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DETAILED ACTION 



1. 



Claims 1-39 have been re-examined and are pending. 



2. 



This is a Final rejection. 



Claim Rejections - 35 USC §102 



The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form 
the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 
122(b), by another filed in the United States before the invention by the applicant for patent 
or (2) a patent granted on an application for patent by another filed in the United States 
before the invention by the applicemt for patent, except that an international application 
filed under the treaty defined in section 351(a) shall have the effects for purposes of this 
subsection of an application filed in the United States only if the international application 
designated the United States and was published under Article 21(2) of such treaty in the 
English leinguage. 

3. Claims 1-39 are rejected under 35 U.S.C. 102(e) as being anticipated 
by Yavatkar, et al. (US 6,735,702). 



As per claim 1: 

discloses gateway device disposed between a data center and a network for 
thwarting denial of service attacks on the data center, the gateway device 
comprises: a computing device comprising: 

a monitoring process that monitors network traffic through the gateway; 

[coLl, lines and col.7, lines 43-48] 
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a communication process that communicate statistics collected [col.2, 
lines 4-5 and 53-60 and col.3, lines 28-45; statistics from the monitoring 
process is inherently gathered data of similarities or differences used for 
analysis purposes to determine the attacks and kind of traffic on the 
gateway.] in the gateway from the monitoring process with a control center and 
that receives queries or instructions from the control center; [col.3, lines 25- 
29 and col. 1 1, lines 5 1-55] 

and a filtering process to insert filters on network devices [col.3, lines 
46-53 and col.l3y lines 56-62] to filter out packets that the gateway deems to 
be part of an attack. [coL20, lines 20-21] 

As per claim 2: See col.2, lines 57-59; discussing the communication 
process couples to a dedicated link to communicate with the control center 
over a hardened network. 

As per claim 3: See col.7, lines 43-45; discussing the monitoring process in 
the gateway samples network packet flow in the network. 

As per claim 4: See col.7, lines 43-44; discussing the gateway is adaptable 
to be physically deployed in line in the network. 

As per claim 5: See col. 14, lines 26-28 and col. 15, lines 38-39; 

discussing the gateway is adaptable to djoiamically install filters on nearby 
routers. 

As per claim 6: See col. 13, lines 4-29 and col. 15, lines 30-33; discussing 
the monitoring process detects IP traffic and determines levels of unusual 
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amounts of IP fragmentation or fragmented IP packets with bad or overlapping 
fragment offsets. 

As per claim 7: See col. 13, lines 44-53 and col. 15, lines 19-21; 

discussing the monitoring process detects Internet Protocol (IP) traffic and 
determines levels of IP packets that have bad source addresses or Internet 
Control Message Protocol (ICMP) packets with broadcast destination addresses. 
As per claim 8: See col. 13, lines 4-29 and col. 15, lines 30-33; discussing 
monitoring process detects Internet Protocol (IP) traffic and determines levels of 
Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) packets 
to unused ports. 

As per claim 9: See col. 15, lines 30-33; discussing monitoring process 
detects IP traffic and determines levels of TCP segments advertising unusually 
small window sizes, which may indicate a load on the data center, or TCP ACK 
packets not belonging to a known connection. 

As per claim 10: See col.l, lines 27-31; discussing monitoring process 
detects sustained rate higher than plausible for a human user over a persistent 
HTTP connection. 

As per claim 11: See col.2, lines 53-55; discussing monitoring process 
maintains statistical summary information of traffic over different periods of 
time and at different levels of detail. 

As per claim 12: See col.2, lines 4-5 and col.3, lines 30-32; discussing 
monitoring process maintains statistics on parameters including source and 
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destination host or network addresses, protocols, types of packets, number of 

open connections or of packets sent in either direction. 

As per claim 13: See col. 14, lines 54-58 and col. 15, lines 26-27; 

discussing monitoring process has configurable thresholds and issues a 
warning when one of the measured parameters exceeds the corresponding 
threshold. 

As per claim 14: See col.2, lines 4-5; discussing monitoring process logs 
packets. 

As per claim 15: See col.5, lines 13-20 and coL13, lines 61-63; discussing 
monitoring process logs specific packets identified as part of an attack to 
enable an administrator to identify important properties of the attack. 
As per claim 16: 

method of protecting a victim site during a denial of service attack, comprises: 

disposing a gateway device between the victim site and a network; [coL7, 
lines 43-48] 

monitoring network traffic through the gateway and measuring 
heuristics of the network traffic to provide statistics network traffic ; [001.2, 
lines 4-5 and 53-60 and coL3, lines 28-45; statistics from the monitoring 
process is inherently gathered data of similarities or differences used for 
analysis purposes to determine the attacks and kind of traffic on the 
gateway.] 



Application / Control Number: 09/931 ,344 Page 6 

Art Unit: 2135 

communicating the statistics collected in the gateway to a control center; 
[col. 10, lines 15-17 and col. 14, lines 59-65] 

and filtering out packets that the gateway or control center deems to be 
part of an attack, [col. 13, lines 53-62 and col.20, lines 20-21] 
As per claim 17: See col.2, lines 57-59; discussing communicating 

occurs over a dedicated link to the control center via a hardened network. 
As per claim 18: See col.2, lines 53-55 and coL7, lines 43-45; 

discussing monitoring samples network packet flow in the network. 
As per claim 19: See col.7, lines 43-44; discussing the gateway is 

physically deployed in line in the network. 

As per claim 20: See col. 14, lines 26-28 and col. 15, lines 38-39; 

discussing filtering further comprises: dynamically installing filters on nearby 
routers via an out of band connection. 

As per claim 21: See col. 13, lines 4-29 and col. 15, lines 30-33; 

discussing monitoring further comprises: detecting IP traffic and determining 
levels of unusual amounts of IP fragmentation or fragmented IP packets with 
bad or overlapping fragment offsets. 

As per claim 22: See col. 13, lines 44-53 and col. 15, lines 19-21; 

discussing monitoring further comprises: detecting Internet Protocol (IP) traffic 
and determining levels of IP packets that have bad source addresses or Internet 
Control Message Protocol (ICMP) packets with broadcast destination addresses. 
As per claim 23: See col. 13, lines 4-29 and col. 15, lines 30-33; 
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discussing monitoring further comprises: detecting Internet Protocol (IP) traffic 
and determining levels of Transport Control Protocol (TCP) or User Datagram 
Protocol UDP packets to unused ports. 

As per claim 24: See coLlS, lines 30-33; discussing monitoring 

further comprises: detecting IP traffic and determines levels of TCP segments 
advertising unusually small window sizes, which may indicate a load on the 
data center, or TCP ACK packets not belonging to a known connection. 
As per claim 25: See coLl, lines 27-31; discussing monitoring further 

comprises: detecting a sustained rate of reload requests that is higher than 
plausible for a human user over a persistent HTTP connection. 
As per claim 26: See col.2, lines 4-5 and coL3, lines 30-32; 

discussing monitoring further comprises: logging statistics on parameters 
including source and destination host or network addresses, protocols, types of 
packets, number of open connections or of packets sent in either direction. 
As per claim 27: See col.l4) lines 54-58 and col. 15, lines 26-27; 

discussing monitoring further comprises: issuing a warning to the control 
center when one of the measured parameters exceeds a corresponding 
configurable threshold. 

As per claim 28: See coL5, lines 13-20 and col. 13, lines 61-63; 

discussing monitoring further comprises: logging specific packets identified as 
part of an attack to enable an administrator to identify important properties of 
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the attack. 

As per claim 29: 

computer program product residing on a computer readable medium for 
protecting a victim site during a denial of service attack, comprises instructions 
for causing a computer device coupled at an entry to the site to: 

monitor network traffic sent to the victim site and measure heuristics of 
the network traffic to provide statistics on the network traffic ; [coL2, lines 4-5 
and 53-60 and col.3, lines 28-45; statistics from the monitoring process is 
inherently gathered data of similarities or differences used for analysis 
purposes to determine the attacks and kind of traffic on the gateway.] 

communicate statistics collected in the computer device to a control 
center; and [coL2, lines 4-5 and col.3, lines 30-38] 

filter out packets that the device or control center deems to be part of an 
attack. [coL13, lines 53-62 and col.20, lines 20-21] 

As per claim 30: See col.2, lines 53-55; discussing sample network 

traffic flow. 

As per claim 31: See col. 14, lines 26-28 and col. 15, lines 38-39; 

discussing instructions to filter further comprise instructions to: dynamically 

install filters on nearby routers via an out of band connection. 

As per claim 32: See col. 13, lines 4-29 and col. 15, lines 30-33; 

discussing instructions to monitor further comprise instructions to: detect IP 
traffic; and determine levels of unusual amounts of IP fragmentation or 
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fragmented IP packets with bad or overlapping fragment offsets. 

As per claim 33: See coL13» lines 44-53 and col. 15, lines 19-21; 

discussing instructions to monitor further comprise instructions to: detect 
Internet Protocol (IP) traffic; and determine levels of IP packets that have bad 
source addresses or Intemet Control Message Protocol (ICMP) packets with 
broadcast destination addresses. 

As per claim 34: See coL13y lines 4-29 and col. 15, lines 30-33; 

discussing instructions to monitor further comprise instructions to: detect 
Internet Protocol (IP) traffic; and determine levels of Transport Control Protocol 
(TCP) or User Datagram Protocol UDP packets to unused ports. 
As per claim 35: See col. 15, lines 30-33; discussing instructions to 

monitor further comprises instructions to: detect IP traffic; and determine 
levels of TCP segments advertising unusually small window sizes, which may- 
indicate a load on the data center, or TCP ACK packets not belonging to a 
known connection. 

As per claim 36: See col.l, lines 27-31; discussing instructions to 

monitor further comprises instructions to: detect a sustained rate of reload 
requests that is higher than plausible for a human user over a persistent HTTP 
connection. 

As per claim 37: See col.2, lines 4-5 and coL3y lines 30-32; 

discussing instructions to monitor further comprises instructions to: log 
statistics on parameters including source and destination host or network 
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addresses, protocols, types of packets, number of open connections or of 
packets sent in either direction. 

As per claim 38: See col. 14, lines 54-58 and col. 15, lines 26-27; 

discussing instructions to monitor further comprises instructions to: issue a 
warning to the control center when one of the measured parameters exceeds a 
corresponding configurable threshold. 

As per claim 39: See coL7, lines 43-55; discussing instructions to 

cause the processor to receive communications from a control center to deliver 
data pertaining to the types of traffic passing through the gateway. 



Response to Arguments 

4. Applicant's arguments with respect to claims 1-39 have been considered 
but are not persuasive. 

The claimed invention broadly claims to insert filters on network devices 
where this can be any device that is within or on a network. Hence, the 
network device is in the form of network nodes or a gateway where the filters 
are positioned or inserted at the network nodes (col.3, lines 48-50 and col. 7, 
lines 43-48). Statistics was not limited to any kind or what is involved as part 
of the statistic in applicant's invention. Statistics from the monitoring process 
is inherently gathered data of similarities or differences used for analysis 
purposes where the gathered data from the monitoring process is to determine 
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the attacks and kind of traffic on the gateway (coL2, lines 4-5 and 53-60 and 
coL3, lines 28-45). 



Conclusion 

5. Applicant's amendment necessitated the new ground(s) of rejection 
presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. 
See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as 
set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire 
THREE MONTHS from the mailing date of this action. In the event a first reply 
is filed within TWO MONTHS of the mailing date of this final action and the 
advisory action is not mailed until after the end of the THREE-MONTH 
shortened statutory period, then the shortened statutory period will expire on 
the date the advisory action is mailed, and any extension fee pursuant to 37 
CFR 1. 136(a) will be calculated from the mailing date of the advisory action. In 
no event, however, will the statutory period for reply expire later than SIX 
MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications 
from the examiner should be directed to LEYNNA T. HA whose telephone 
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number is (571) 272-3851. The examiner can normally be reached on Monday 
- Thursday (7:00 - 5:00PM). 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Kim Vu can be reached on (571) 272-3859. The fax 
phone number for the organization where this application or proceeding is 
assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from 
the Patent Application Information Retrieval (PAIR) system. Status information 
for published applications may be obtained from either Private PAIR or Public 
PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see 
http://pair-direct.uspto.gov. Should you have questions on access to the 
Private PAIR system, contact the Electronic Business Center (EBC) at 866-217- 
9197 (toll-free). 
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